初始化

.cursor/skills/security-audit/references/security-headers.md

@@ -0,0 +1,42 @@
+# 安全响应头配置
+
+## Nginx 配置（推荐）
+
+```nginx
+# /etc/nginx/conf.d/security-headers.conf
+# 在 server 块或 http 块中添加
+
+add_header X-DNS-Prefetch-Control "on" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "DENY" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
+```
+
+## Hyperf 中间件方式（备选）
+
+```php
+// app/Middleware/SecurityHeadersMiddleware.php
+class SecurityHeadersMiddleware implements MiddlewareInterface
+{
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $response = $handler->handle($request);
+
+        return $response
+            ->withHeader('X-Content-Type-Options', 'nosniff')
+            ->withHeader('X-Frame-Options', 'DENY')
+            ->withHeader('X-XSS-Protection', '1; mode=block')
+            ->withHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+    }
+}
+```
+
+## 验证安全头
+
+```bash
+curl -I https://your-domain.com | grep -iE "(strict|content-security|x-frame|x-content|referrer)"
+```